Data Processing Standard

Last Reviewed Date 22 Jan 2024

This Data Processing Standard (“Standard”) forms part of the Terms of Service (“Principal Agreement”) between Felix Software Pty Ltd (“Company”) and you as the user (Organisation User as well as  Vendor User) of Felix (“User”) (together as the “Parties”).

WHEREAS

(A) The Company provides a platform for facilitating the vendor relationship management, electronic tendering / quoting and other related procurement activities (“Services”).

(B) The User wishes to use the Services and may be required to provide the Company with certain personal data of its users, employees, or other individuals (“Data Subjects”) for the purpose of enabling the Company to perform its obligations under relevant Master Services Agreements and written instructions (“Purpose”).

(C ) The Parties seek to implement a data processing standard that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Standard” means this Data Processing Standard and all Schedules;

1.1.2 “User’s Personal Data” means any Personal Data Processed by the Company on behalf of the User pursuant to or in connection with the Principal Agreement;

1.1.3 “Data Protection Laws” means EU Data Protection Laws and Australian Privacy Act 1988, to the extent applicable, the data protection or privacy laws of any other country;

1.1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.5 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.7 “Data Transfer” means:

1.1.7.1 a transfer of User’s Personal Data from the User to the Company; or

1.1.7.2 an onward transfer of User’s Personal Data from the Company to a Subprocessor, or between two establishments of the Company, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer standard put in place to address the data transfer restrictions of Data Protection Laws);

1.1.8 “Services” means the platform and the services provided by the Company to the User;

1.1.9 “Subprocessor” means any person appointed by or on behalf of the Company to process Personal Data on behalf of the User in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of User Personal Data

2.1 The Company shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of User Personal Data; and

2.1.2 not Process User’s Personal Data in any other means other than under the Company’s documented process.

2.2 The User allows the Company to process User’s Personal Data for the following purposes:

2.2.1 Processing in accordance with the Principal Agreement and applicable Order Forms;

2.2.2 Processing initiated by the User in its use of the Services; and

2.2.3 Processing to comply with other reasonable instructions provided by the User (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement.

3. Company’s Personnel

3.1 The Company shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Company who may have access to the User’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User’s Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Company, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall in relation to the User’s Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, the Company shall take account the risks that are presented by Processing, in particular from a Personal Data Breach.

5.1 The User authorises the Company to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

5.2 The Company may continue to use those Subprocessors already engaged by the Company as at the date of this Agreement, subject to the Company in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3 The Company shall give the User prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If the User notifies the Company in writing of any objections (on reasonable grounds) to the proposed appointment shall determine whether to exercise the provision in GDPR to withdraw from the platform.

5.4 With respect to each Subprocessor, the Company shall:

5.4.1 before the Subprocessor first processes User’s Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for User’s Personal Data required by the Principal Agreement;

5.4.2 ensure that the arrangement between the Company and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for User’s Personal Data as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR.

6.1 Taking into account the nature of the Processing, the Company shall assist the User by implementing appropriate technical and organisational measures, insofar as this is possible, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.1 The Company shall notify the User without undue delay upon the Company becoming aware of a Personal Data Breach affecting User’s Personal Data, providing the User with sufficient information to allow the User to meet any obligations to report under the Data Protection Laws.

8.1 The Company shall provide reasonable effort to conduct data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities.

9.1 Subject to section 9.2, the Company shall promptly cease any Services involving the Processing of User’s Personal Data in accordance with the standards set out in the Company’s Privacy Notice.

9.2 The Company may retain User’s Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that the Company shall ensure the confidentiality of all such User’s Personal Data and shall ensure that such User Personal Data is Processed only for the purpose(s) specified in the Agreement and not disclosed to any third party unless required by such laws.

ANNEX A: LIST OF SUBPROCESSORS